October is Cybersecurity Awareness Month, and the U.S. Cybersecurity & Infrastructure Security Agency (CISA) is calling on all of us to “Secure Our World,” with a simple message that calls everyone to action “to adopt ongoing cybersecurity habits and improved online safety behaviors.” This month, the JumpCloud blog will focus on helping you empower everyone in your organization to do their part regarding cybersecurity. Tune in throughout the month for more cybersecurity content written specifically for IT professionals.
While multi-factor authentication (MFA) isn’t new to most users, user sentiment toward the tool varies widely. For those who have several personal accounts that require MFA, adding another for work is no big deal. Others may be less familiar or willing to adopt the technology, and tend to lag or run into friction when it comes to incorporating it into their work process.
Because most organizations will likely have both MFA champions and hard resisters, sufficiently equipping users is critical to rollout success. In this article, we’ll outline the user-side challenges many employees face when adopting MFA, how IT admins can rectify them. We’ll use JumpCloud Protect, a free MFA tool, as a case study for ensuring smooth rollout and adoption.
MFA User Challenges and Barriers to Adoption
Understanding the common challenges surrounding MFA adoption is key to determining the right rollout strategies. Generally speaking, MFA may be difficult to deploy because of:
1. Device incompatibility — MFA often requires employees to use their personal devices. Clarify which OS and versions the MFA technology works on, and present alternatives for those on different systems.
2. Setup problems — Because people learn in different ways, your MFA setup instructions should be available in more than one format. For example, you could offer a guided simulation as well as written instructions.
Additionally, because users will be setting up the tool on different platforms, they’ll need access to clear steps for their device type. Be sure to provide setup instructions that are unique to each OS.
3. Lack of understanding of how to use the tool — Perhaps one of the most common MFA challenges is usability. Not many MFA providers include end-user training, so many users are left to learn how to use the technology on their own. Additionally, with many users now working remotely, there’s less of a peer support system and fewer opportunities for offering hands-on help during the adoption period.
Because this is such a sticking point, don’t overlook the value of vendor-offered user training when weighing different tool options. Having training available can significantly reduce adoption time, improve the user experience, and reduce the security vulnerabilities created by tool misuse or avoidance.
4. Lack of buy-in — If users don’t understand the goal of a tool and why they should use it, they’ll quickly find a way to avoid it or work around it, which creates significant vulnerabilities. Communicate your company’s reasoning for why it’s adopting the tool and how it secures both company data and employees’ personal information.
Note: While the insecurity of the traditional password may be old news to IT admins, it may not be to the lay user. Try conveying the security benefits of MFA by first explaining the problems with the traditional password.
5. Poor user experience — As MFA adoption is already a sticking point, an MFA tool that delivers a poor user experience is unlikely to take hold.
How to Address These Challenges
To ensure smooth rollout and adequately support their users, IT admins should make sure they enable users in three different stages:
- Pre-rollout: To account for both early and late adopters, admins need to give users ample time to prepare for new technology adoption. Alert users more than once — preferably through varied media — to make sure everyone sees the message. In this messaging, include:
- What to expect. Let users know what’s going to change, where the change will occur, whether they’ll need to use a personal device, and what the UX will look like to avoid surprises.
- Reasoning for the change. You’re more likely to facilitate buy-in if users understand why the new technology is important.
- Steps users need to take before rollout. If users need to download an application, register their device, or take other measures, let them know as early as possible with clear instructions. This will help speed up rollout.
- Resources to help users prepare. This could include support documents, courses, simulations, demos, and more. Consider making these optional; some users may not need the extra help and some might greatly appreciate it.
- Implementation: Implementation should start with training. If the MFA vendor offers training, demos, or other user enablement material, circulate it to employees to offer hands-off guidance. If the tool doesn’t come with user enablement, consider holding training sessions to make sure users adopt and configure the tools correctly.
Give users some time — at least a couple of weeks — to get onboarded and comfortable with the new tool. During this time, make sure they have access to training materials, and IT teams should prepare for an influx of questions and help desk tickets. Even tools with the best training materials will have outliers and employees who need extra help or troubleshooting assistance.
- Ongoing use: After rollout is complete, IT admins still need to keep an eye on MFA, watching for lockouts, users or devices with disabled MFA, suspicious login attempts, and other issues. Ideally, IT admins should be able to monitor and control MFA through a central dashboard, like the JumpCloud Admin Portal.
How JumpCloud Protect Combats These Challenges
JumpCloud Protect is a free MFA tool that offers both push notifications and time-based one-time passwords (TOTP) as secondary factors for login. It’s designed to provide a seamless MFA experience that doesn’t require you to manage multiple vendors (more vendors usually means more friction, expenses, and risk). JumpCloud Protect is easy to implement and manage from the JumpCloud Admin Portal, facilitating smooth and secure rollouts.
JumpCloud prioritized the end-user experience throughout the development of the tool to make sure it would be easy to adopt and use. The result is an MFA tool that delivers an excellent user experience in the following ways:
JumpCloud Protect is designed to be user-friendly from the get-go. It works on both iOS and Android platforms (available from the Apple App Store and Google Play Store), and it’s easy to set up. All users have to do is download the app and scan a QR code in their User Portal to start authenticating with the app (get the full step-by-step here).
Further, JumpCloud Protect uses push notifications, which are some of the easiest MFA factors to use — all it takes is the tap of a button on a push notification that appears on the user’s personal phone or device. Push notifications are available for the JumpCloud User Portal and JumpCloud Single Sign-On (SSO), which includes the majority of what many users will be working with day to day (and are likely most familiar with when it comes to MFA in their personal lives). In addition, it still includes TOTP MFA for authentication to other systems and resources, like their Windows, Mac, or Linux devices, RADIUS, and password change attempts.
One of the main reasons MFA adoption among users is so difficult is that most providers don’t offer end-user training. They’ll usually offer instructions to the admins setting up the technology, but, often, the users are left to fend for themselves.
JumpCloud Protect offers training for both IT admins and end users. End-user training includes a course, guided simulations on user enrollment and user login, and support documentation to help users familiarize themselves with the tool, see it in action, and go back and reference support material when they get stuck.
Easy Management and Troubleshooting
JumpCloud Protect integrates seamlessly with the User Portal and the Admin Portal, making issues easy to spot and troubleshoot. Admins maintain central control over MFA enablement from the Admin Portal, and they can drill down into MFA status by user or device. MFA requirements can be configured into smaller, more specific groups with conditional access policies (like only requiring remote workers to use MFA, for example). Turning MFA on or off for a user or device is as easy as toggling a switch.
JumpCloud also offers Remote Assist free for an unlimited number of devices, which allows you to remotely access and control users’ devices. Anytime a user runs into an issue — say, with setup or troubleshooting — you can remote directly into their device to both see the problem and implement solutions first-hand.
Optimizing the MFA User Experience
The above user experience initiatives help ensure faster adoption, better security, happier and more productive users, and fewer help desk tickets (which means a happier and more productive IT team). And when it’s combined with your directory service, it helps you consolidate vendors and cost. Learn more about JumpCloud Protect.